CVE-2022-23710 - OpenCVE

A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	Kibana

Configuration 1 [-]

OR	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana:8.0.0:::::::*

No data.

References

Link	Providers
https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447
https://nvd.nist.gov/vuln/detail/CVE-2022-23710
https://security.netapp.com/advisory/ntap-20220325-0009/
https://www.cve.org/CVERecord?id=CVE-2022-23710

History

No history.

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2022-03-03T21:51:43

Updated: 2024-08-03T03:51:45.928Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23710

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-03T22:15:08.900

Modified: 2022-04-18T18:39:40.513

Link: CVE-2022-23710

Redhat

Severity : Moderate

Publid Date: 2022-02-28T00:00:00Z

Links: CVE-2022-23710 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "kibana", "vendor": "Elastic", "versions": [{"status": "affected", "version": "For self-managed deployments the issue impacts versions 7.15.0, 7.15.1, and 7.15.2\nFor Elastic Cloud Services the issue impacts versions 7.15.0 through 7.17.0, and 8.0.0"}]}], "descriptions": [{"lang": "en", "value": "A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim\u2019s browser."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-25T07:06:33", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220325-0009/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2022-23710", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "kibana", "version": {"version_data": [{"version_value": "For self-managed deployments the issue impacts versions 7.15.0, 7.15.1, and 7.15.2\nFor Elastic Cloud Services the issue impacts versions 7.15.0 through 7.17.0, and 8.0.0"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim\u2019s browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}, {"name": "https://security.netapp.com/advisory/ntap-20220325-0009/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0009/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:45.928Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220325-0009/"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2022-23710", "datePublished": "2022-03-03T21:51:43", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:51:45.928Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "66051D34-659F-46AD-A819-DF6EAE27EE63", "versionEndIncluding": "7.17.0", "versionStartIncluding": "7.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5E1ED2C2-73D5-4480-9F09-333E11BF4DB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim\u2019s browser."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de tipo cross-site-scripting (XSS) en Data Preview Pane (anteriormente conocido como Index Pattern Preview Pane) que podr\u00eda permitir una ejecuci\u00f3n de JavaScript arbitrario en el navegador de una v\u00edctima"}], "id": "CVE-2022-23710", "lastModified": "2022-04-18T18:39:40.513", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T22:15:08.900", "references": [{"source": "bressers@elastic.co", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220325-0009/"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "bressers@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "kibana: cross-site-scripting (XSS) issue (ESA-2022-04)", "id": "2066387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066387"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim\u2019s browser.", "A flaw was found in Kibana\u2019s data preview pane. This issue allows a Cross-Site scripting attack."], "name": "CVE-2022-23710", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "Kibana", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "Kibana", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-logging-kibana5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-elasticsearch-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Will not fix", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2022-02-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23710\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23710\nhttps://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"], "threat_severity": "Moderate"}